Analysis

- Max time kernel: 118s
- Max time network: 120s
- Platform: windows10-2004_x64
- Resource: win10v2004-20241007-en
- Resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- Submitted: 13-11-2024 13:25
- Static task: static1
- Behavioral task: behavioral1
- Sample: 7ff164f6d9a8c6c4c16036fc1b5dee60ce8feb08cf4147300d1c340155aa55d0.exe
- Resource: win10v2004-20241007-en
General

- Target: 7ff164f6d9a8c6c4c16036fc1b5dee60ce8feb08cf4147300d1c340155aa55d0.exe
- Size: 1.0MB
- MD5: 100cea445f772150975b2397c107b45d
- SHA1: 467cbaa2f38ffaf1854663813e771d76f39dd07e
- SHA256: 7ff164f6d9a8c6c4c16036fc1b5dee60ce8feb08cf4147300d1c340155aa55d0
- SHA512: 3e78183889f6d190d5857c05526a65bcd8d5f03b570c37c457a6d3786daf181991f7a9773678824fd34211990c7b0657fab7d1cd763d38b99361780f8b756f4b
- SSDEEP: 24576:byjmFBJum+hEk2SbwG+Fo938n6zx4q7d7PE:OCJjARzdl938nEZ7c
Malware Config

Extracted

- Family: redline
- Botnet: rouch
- C2: 193.56.146.11:4162
- auth_value: 1b1735bcfc122c708eae27ca352568de
Signatures

Detects Healer, an antivirus disabler dropper (2 IoCs)

- behavioral1/files/0x0008000000023c8b-27.dat: healer
- behavioral1/memory/760-28-0x0000000000660000-0x000000000066A000-memory.dmp: healer

Healer family

Modifies Windows Defender Real-time Protection settings, by budM97gi40.exe:

- Key created: \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"
RedLine

RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload (35 IoCs)
Redline family

Executes dropped EXE (5 IoCs)

- PID 4196: plQj03VQ37.exe
- PID 3064: plkz35SO10.exe
- PID 372: plEt55fG57.exe
- PID 760: budM97gi40.exe
- PID 5020: casv44Ni50.exe
Windows security modification, by budM97gi40.exe:

- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"
Adds Run key to start application (2 TTPs, 4 IoCs)

- 7ff164f6d9a8c6c4c16036fc1b5dee60ce8feb08cf4147300d1c340155aa55d0.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""
- plQj03VQ37.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""
- plkz35SO10.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""
- plEt55fG57.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""
System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)

Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, by each of:

- casv44Ni50.exe
- 7ff164f6d9a8c6c4c16036fc1b5dee60ce8feb08cf4147300d1c340155aa55d0.exe
- plQj03VQ37.exe
- plkz35SO10.exe
- plEt55fG57.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)

- PID 760: budM97gi40.exe
- PID 760: budM97gi40.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)

- Token SeDebugPrivilege: PID 760, budM97gi40.exe
- Token SeDebugPrivilege: PID 5020, casv44Ni50.exe
Suspicious use of WriteProcessMemory (14 IoCs)

- PID 2912 (7ff164f6d9a8c6c4c16036fc1b5dee60ce8feb08cf4147300d1c340155aa55d0.exe) wrote to memory of 4196, procid_target 83
- PID 2912 (7ff164f6d9a8c6c4c16036fc1b5dee60ce8feb08cf4147300d1c340155aa55d0.exe) wrote to memory of 4196, procid_target 83
- PID 2912 (7ff164f6d9a8c6c4c16036fc1b5dee60ce8feb08cf4147300d1c340155aa55d0.exe) wrote to memory of 4196, procid_target 83
- PID 4196 (plQj03VQ37.exe) wrote to memory of 3064, procid_target 84
- PID 4196 (plQj03VQ37.exe) wrote to memory of 3064, procid_target 84
- PID 4196 (plQj03VQ37.exe) wrote to memory of 3064, procid_target 84
- PID 3064 (plkz35SO10.exe) wrote to memory of 372, procid_target 86
- PID 3064 (plkz35SO10.exe) wrote to memory of 372, procid_target 86
- PID 3064 (plkz35SO10.exe) wrote to memory of 372, procid_target 86
- PID 372 (plEt55fG57.exe) wrote to memory of 760, procid_target 88
- PID 372 (plEt55fG57.exe) wrote to memory of 760, procid_target 88
- PID 372 (plEt55fG57.exe) wrote to memory of 5020, procid_target 95
- PID 372 (plEt55fG57.exe) wrote to memory of 5020, procid_target 95
- PID 372 (plEt55fG57.exe) wrote to memory of 5020, procid_target 95
Processes

- C:\Users\Admin\AppData\Local\Temp\7ff164f6d9a8c6c4c16036fc1b5dee60ce8feb08cf4147300d1c340155aa55d0.exe (PID 2912)
  Command line: "C:\Users\Admin\AppData\Local\Temp\7ff164f6d9a8c6c4c16036fc1b5dee60ce8feb08cf4147300d1c340155aa55d0.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - Child: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plQj03VQ37.exe (PID 4196)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plQj03VQ37.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - Child: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plkz35SO10.exe (PID 3064)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plkz35SO10.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      - Child: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plEt55fG57.exe (PID 372)
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plEt55fG57.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        - Child: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\budM97gi40.exe (PID 760)
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\budM97gi40.exe
          - Modifies Windows Defender Real-time Protection settings
          - Executes dropped EXE
          - Windows security modification
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
        - Child: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\casv44Ni50.exe (PID 5020)
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\casv44Ni50.exe
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15

Persistence

- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Downloads